‘Stagefright’ Bug Could Affect One Billion Android Devices

“Worse than Heartbleed” flaw could allow Android phones to be taken over while they sleep, say researchers, who warn some devices may never be patched

Security researchers have uncovered flaws affecting nearly all Android devices that they say could allow a smartphone or tablet to be automatically infected with malicious code via a specially crafted MMS message.

The vulnerability, which lies in a media library named ‘Stagefright’, affects 95 percent of Android devices, or about 950 million units, according to Zimperium zLabs, which said vice president Joshua Drake plans to present his research on the flaw at next month’s Black Hat USA and DEF CON 23 conferences.

‘Worst to date’

Zimperium said it believes the flaws in Stagefright are “the worst Android vulnerabilities discovered to date”.

“If ‘Heartbleed’ from the PC era sends chill down your spine, this is much worse,” the firm said, alluding to a bug disclosed last year that was estimated to leave 17 percent of the Internet’s secure web servers vulnerable, and which security experts called “catastrophic”.

When an MMS message containing video is received by a handset, the affected versions of Android automatically create a preview of the video using Stagefright. The flaw means that a specially crafted message could trigger a memory corruption vulnerability in that library, giving an attacker sufficient privileges to execute arbitrary code.

Zimperium said the vulnerabilities exist in part because Stagefright is written in native C++ code, which is more prone to such memory-safety issues than languages such as Java.
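The two paragraphs above describe the class of bug at issue: a native media parser that trusts a length field in attacker-supplied data and corrupts memory when that field is wrong. The following example is added here to illustrate that class; it is not Stagefright's code and does not reflect the actual Stagefright flaw. It parses a hypothetical, constructed chunk format (a 4-byte big-endian length followed by a payload) and shows the two checks an unchecked native parser lacks: the declared length must fit the destination buffer, and it must not exceed the bytes actually received. The sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical chunk layout, constructed for this example only:
 * 4-byte big-endian payload length, then the payload bytes. */
#define MAX_PAYLOAD 64

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LARGE = 2 };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one chunk from `in` (in_len bytes) into `out` (MAX_PAYLOAD bytes).
 * Every size taken from the untrusted input is validated before it is
 * allowed to drive a copy; an unchecked parser would call memcpy with
 * `declared` directly. */
enum parse_status parse_chunk(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t *out_len) {
    if (in_len < 4)
        return PARSE_TRUNCATED;              /* header itself is missing */

    uint32_t declared = read_be32(in);

    /* Check 1: the declared length must fit the destination buffer.
     * Without it, a header claiming more than MAX_PAYLOAD bytes makes
     * memcpy write past the end of `out` (heap or stack corruption). */
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;

    /* Check 2: the declared length must not exceed the bytes received.
     * Compare against the remaining input instead of computing
     * 4 + declared, so an integer wrap cannot slip past the test. */
    if (declared > in_len - 4)
        return PARSE_TRUNCATED;

    memcpy(out, in + 4, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_GOOD[]  = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_HUGE[]  = {0xFF, 0xFF, 0xFF, 0xFF, 'x'}; /* claims ~4 GiB */
static const uint8_t SAMPLE_SHORT[] = {0, 0, 0, 10, 'a', 'b'};     /* claims 10, has 2 */

/* Small wrappers so each sample's outcome can be checked by a caller. */
enum parse_status demo_good(void) {
    uint8_t buf[MAX_PAYLOAD]; size_t n = 0;
    return parse_chunk(SAMPLE_GOOD, sizeof SAMPLE_GOOD, buf, &n);
}
enum parse_status demo_huge(void) {
    uint8_t buf[MAX_PAYLOAD]; size_t n = 0;
    return parse_chunk(SAMPLE_HUGE, sizeof SAMPLE_HUGE, buf, &n);
}
enum parse_status demo_short(void) {
    uint8_t buf[MAX_PAYLOAD]; size_t n = 0;
    return parse_chunk(SAMPLE_SHORT, sizeof SAMPLE_SHORT, buf, &n);
}

int main(void) {
    printf("good:  %d\n", demo_good());   /* 0 = PARSE_OK */
    printf("huge:  %d\n", demo_huge());   /* 2 = PARSE_TOO_LARGE */
    printf("short: %d\n", demo_short());  /* 1 = PARSE_TRUNCATED */
    return 0;
}
```

The design point is that each check rejects the input before any memory operation depends on the untrusted value; a managed-language parser gets the equivalent of Check 1 from array bounds checking for free, which is the difference the article alludes to between C++ and Java.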

Because the flaws are triggered by an automatic process that is switched on by default in the affected devices, they don’t require any user interaction, and a sophisticated attacker could make an attack entirely invisible, for instance by crafting exploit code that removes any sign that the malicious message had been received.

“This vulnerability can be triggered while you sleep,” Zimperium said in its advisory. “Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”

Slow updates

Android-based devices using version 2.2 and later of the operating system, or roughly nine in ten devices, are vulnerable but include some mitigations, such as sandboxes that isolate individual applications, which an attacker would have to specifically overcome, Zimperium said.

“Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult,” Google confirmed to TechWeekEurope. “Android devices also include an application sandbox designed to protect user data and other applications on the device.”

Devices running earlier Android versions, about 11 percent of the total, don’t include those mitigations and as such are more vulnerable, according to Zimperium.

The firm said Google applied patches to the Android code within 48 hours, but devices would require an over-the-air firmware update in order to receive them. That process is slow for most handsets and nonexistent for some, since the update mechanism varies depending on the handset’s manufacturer.

“Devices older than 18 months are unlikely to receive an update at all,” Zimperium said.

Ways to mitigate the issue

In the absence of a patch, users can mitigate the flaw by disabling Hangouts, the default Android messaging application, which generates the automatic MMS previews – but they would still be vulnerable if they accidentally viewed a malicious message, Zimperium said.

Another option would be to disable MMS messages via the handset’s carrier settings or, for more advanced users, to use specialised tools to gain administrator access to the device and disable the Stagefright library or manually install a patched version of Android.

Google confirmed it has ranked the severity of the bug as “high”, and Drake said he received $1,337 from the search company for providing the research.

“We thank Joshua Drake for his contributions,” Google stated. “The security of Android users is extremely important to us and so we responded quickly.”
